Support machine certificate authentication

[elronzo]

Our VPN seems to require a machine cert AND user credentials (either username/password or a user cert).

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Machine-Certificate.htm states "The machine must be defined on a Microsoft AD server."

Is it possible to add machine auth to snx-rs somewhere in the future? Or is this feature too Windows-entangled?

[ancwrd1]

If you have that certificate in the external PFX file it might actually work out of the box.

[elronzo]

Unfortunately it does not. snx_rs trace says that it misses a machine cert. But the cert I have lacks the Windows specific Cert SAN field othername: UPN=hostname SAN field. Could this be the reason?

[ancwrd1]

May be you can provide some fragments from the trace-level logs, how does it look like?

Checkpoint documentation says that the first field in the certificate subject must be a hostname: CN=DESKTOP-12345, OU=Computers, DC=example, DC=com

[ancwrd1]

May be also provide a list of login types with factors (snxctl info or snx-rs -m info).

[elronzo]

Supported tunnel protocols: IPSec SSL Available login types: vpn_Username_Password (Username Password) factor 1: type = password, prompt = "Password" vpn (Standard) factor 1: type = certificate

AFAIK we do not actively use SSL anymore.

From our Windows-Clients I could see that they have CN=somehost@some.domain.com in the subject (apparently no OU or DC components there) and two fields in the SAN section. One is the othername field (UPN=SOMEHOST$@some.domain.com). The other one is DNS=somehost.some.domain.com

[elronzo]

snxctl connect -c ./snx-rs-cert.conf
Error: Incomplete ID payload received!

And in the trace I can see this:
`
NotificationPayload {
doi: 0,
protocol_id: Isakmp,
message_type: 37,
spi: b"",
data: b"Machine certificate is required\0(msg_obj\n\t:format (1.0)\n\t:id (VPN_MACHINE_CERT_ERR_2)\n\t:def_msg ("Machine certificate is required")\n\t:arguments ()\n)\n",
},

`

[ancwrd1]

And you are providing it in the config file, right? Via the cert-type=pkcs12, cert-path and cert-password parameters?

[elronzo]

I provided a certificate file in PEM format consisting of the certificate and its private key. Specified pkcs8 in the config.

Using PKCS12 makes no difference. I can see that the certificate is loaded somehow in the trace but the "next step" is "Machine certificate".

Some trace fragments - modified in order not to disclose any sensitive information here:
https://pastebin.com/2kBW9Nfk

[ancwrd1]

Ok, I think Check Point requires a specific payload (or perhaps a specific identification type) during IKE identity protection phase, see https://github.com/ancwrd1/isakmp/blob/ea250b6485ce251e1c0d7f61a836cb3fda4b1c55/src/ikev1/service.rs#L317

It probably requires some effort in reverse engineering the traffic from Windows client, which isn't an easy task.

[elronzo]

OK. Thanks for the discussion here!

So our only option is asking for a different login type for our Linux users, right? What would you consider an equally secure solution compared to machine cert plus user creds (cert or username/password) that works well with snx-rs? (Note: The machine cert was introduced to prevent users from connecting with non-authorized client devices.)

Could a client cert coming from FreeIPA work as a cert for VPN auth?

[ancwrd1]

OK. Thanks for the discussion here!

No prob.

So our only option is asking for a different login type for our Linux users, right? What would you consider an equally secure solution compared to machine cert plus user creds (cert or username/password) that works well with snx-rs? (Note: The machine cert was introduced to prevent users from connecting with non-authorized client devices.)

Usually it's either username/password with 2FA (e.g. TOTP) or the SAML/OAuth SSO via browser login, if some external identity provider is used like Microsoft Entra ID.

Could a client cert coming from FreeIPA work as a cert for VPN auth?

I don't see why wouldn't it, X.509 certificates are the same regardless of the issuer. One thing though, only RSA certificates are supported by snx-rs, EC-based ones will not work.

[elronzo]

Please allow me to ask another question. Can cert auth be combined with another factor? E.g. MS Authenticator OTP?

[ancwrd1]

Yes. If the result of the "snxctl info" command contains some factors which are not of the "certificate" type, snx-rs will ask for them.

[ancwrd1]

I have created a MITM proxy which can intercept and dump the packets from the Windows Check Point client: https://github.com/ancwrd1/cp-ikev1-proxy

Perhaps you can try it with your setup and machine certificates, to find out how does it communicate with the VPN server.

It's still in early stages so might not always work.

[elronzo]

In the meantime I managed to get a certificate that has the required SAN-Field othername as described above. When I try to use it with snx-rs I do get a "Builder Error".